Cloud Security Today

Unraveling unmanageable apps

February 21, 2023 Matthew Chiodi Season 3 Episode 2
Cloud Security Today
Unraveling unmanageable apps
Show Notes Transcript

On this episode, co-founder and CEO of Cerby, Belsasar Lepe, joins Matt to talk about unmanageable applications (apps that don't support critical security standards like SSO and SCIM). Belsasar was previously the Head of Product at Impira, where he led the company's product life cycle, helping drive a 4x increase in revenue. Before his role at Impira, Bel was co-founder and CTO at Ooyala, where he led a global product, design, and engineering team of 300+ Ooyalans spanning five countries and seven offices. Ooyala achieved two successful exits totaling over $440M.

Belsasar talks about unmanageable applications, Shadow IT, and why password managers should be considered legacy tech. 


Timestamp Segments

·       [02:14] A bit about Belsasar.

·       [04:57] Unmanageable Applications.

·       [07:07] Shadow IT.

·       [11:04] Quantifying the risk.

·       [14:50] How to identify Unmanageable Apps.

·       [17:46] Using different tools.

·       [21:03] Where do password managers fall in?

·       [22:53] Is passwordless the future?

·       [25:29] How Cerby solves the problem.

·       [27:11] A Cerby success story.

·       [30:48] The future of the market.

·       [32:35] Migration to Cloud.

·       [35:03] How Belsasar stays fresh.


Notable Quotes

·       “The first task is understanding the size of the problem.”

·       “The initial point of entry is often an unmanageable application.”

·       “More businesses will rely on end users for their security.”

Cerby's website

Secure applications from code to cloud.
Prisma Cloud, the most complete cloud-native application protection platform (CNAPP).

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Narrator (00:02):

This is the Cloud Security Today Podcast, where leaders learn how to get cloud security done. And now your host Matt Chiodi.

Matt Chiodi (00:14):

Maybe I'll change things up a little bit this year, but one of the things I definitely want to do is introduce the audience to new start-ups. I think this is important, and what I'll try to do is make sure that when guests come on, yes, they have a product, but it's really to get into the problem that they're solving. I love startups, I'm currently at one, and selfishly, yes, this one is the company I work for. However, what's really important, and the thing that I love about start-ups is how they innovate and bring new solutions often to problems that have existed for a very long time, and that is no different. In this episode, we have CEO and Co-Founder Belsasar "Bel" Lepe of Cerby. He's going to talk about the unique challenge that they solve, and that is what they call unmanageable applications.

Matt Chiodi (01:08):

Now, I won't define for you what that is, therefore, you'll have to listen to the interview, but that is what we're going to talk about in this episode. And I can tell you based upon the fact that I've already done this interview, that this is a problem that every organization struggles; with, large and small. And so, if you have things that you want to hear about, maybe there's companies that you want to hear from, or maybe there's a specific challenge that you have that you think there's no vendor that's being solved or that's solving it yet, reach out. We want to hear from you. And if I could ask you one favor, wherever you listen to your podcasts, would you go in and give Cloud Security Today a five-star rating? We would love for you to do that. I didn't know before I started podcasting two years ago how much of a difference this makes. If you would take 30 seconds, maybe even right now, pause this and go and rate the podcast that would be awesome. I hope you enjoy the episode!

Matt Chiodi (02:07):

Bel, thank you for joining us today.

Belsasar "Bel" Lepe (02:08):

Thank you for having me, hello!

Matt Chiodi (02:11):

Alright, I'd love to just jump right into things. For those listeners who don't know you, tell us a little bit about your background. Like how did you become interested in cybersecurity?

Belsasar "Bel" Lepe (02:21):

Absolutely. So first and foremost my name is Bel Lepe, I'm the Founder and Co-Founder of Cerby. We're a company that was founded just before the pandemic. And we focus on identifying and securing unmanageable applications. If you take a step back and look at my background you might be surprised to see that I helped to co-find a cybersecurity company. This is actually my second company that I've helped co-found, my first company was in the media and entertainment space. A part of what attracted me to the cybersecurity spaces was, we worked with folks like HBO, ESPN, and Televisa. It was always very fascinating to me to see the level of rigor certainly from a security perspective that we were being put through when we were being evaluated as a vendor.

Belsasar "Bel" Lepe (03:17):

And especially after the Sony breach in 2013/2014 where the movie was breached and released ahead of time. After that it was a seminal moment in the main entertainment space, and so we were working with very high quality IP and the level of rigor that we were being put through before they decided to work with us, and then after they decided to work with us, making sure that, they were making sure that we weren't releasing Games of Thrones episodes early. And also that everything about our architecture and stack was upfront or as locked up as possible.

Belsasar "Bel" Lepe (04:04):

It always struck me, specifically because we started that company in 2007. The evolution that we saw over a seven to eight year period started to point out that security wasn't just something that an IT and security team was worried about. Everyone cared about it; for example, the folks over on the post and production side, and the folks that were writing the scripts. And that always very much stuck with me. When one of our customers reached out and said, Hey, I have this problem around unmanageable applications, it all connected for me. And, I realized that this is a very unique time in the history of the technology space. Everyone's going to be responsible for security, and so those are some of the events that led to me being very interested and ultimately pursuing building a company in this space.

Matt Chiodi (04:57):

Now, you mentioned the term unmanageable applications a couple times. Why don't you define that for us? I think people maybe have an idea of what that is, but why don't you tell us, how do you define unmanageable applications?

Belsasar "Bel" Lepe (05:12):

It's actually helpful to put it against a common backdrop that everyone can understand. The pandemic has accelerated this idea of IT being managed more at the edges, right? The moment we stopped going into an office on an everyday basis, whether IT and security teams were happy about it or not, we started to become more responsible for the technology that we use on a daily basis. And this caused an increase of technology spending occurring outside of IT and typical procurement processes. Now why is that relevant? Well, what we've started to see is there are many more applications that are simply outside the purview, or outside of the visibility of IT and security teams. And I'm not talking just about shadow IT, I'm also talking about applications that maybe the IT teams are aware of, but which don't support standards for single sign-on, and standards for provisioning and deprovisioning.

Belsasar "Bel" Lepe (06:17):

And so unmanageable applications refers to this domain of applications that are either unmanageable because IT and security teams are not aware of them. Or are unmanageable because they literally can't be managed because these applications can't interface with existing identity and security infrastructure. But again, it's important to note that this notion of unmanageability comes from this decentralization of who's responsible for technology and your typical information technology landscape at any enterprise. It's no longer the case where there is only one IT team or one security team that's responsible for this. Now increasingly every business user is responsible for it at any given company.

Matt Chiodi (07:05):

You mentioned shadow IT, which is a term that has been around for a long time, right? Probably it's been pushing for 7 or 10 years now. I don't know, I'd have to go look at Google Trends, but it's been around for a while. However, it sounds like there's a difference between the unmanageable applications and shadow IT. Give me a little bit of clarity, if someone says, "Well, it sounds like what you're describing is just shadow IT, but it sounds like it's not," help me with that.

Belsasar "Bel" Lepe (07:37):

There are two dimensions to those that I would say are very important. A shadow IT first and foremost, I think has a very negative connotation. You mentioned shadow IT more often than not to any person in the industry, and it almost has this connotation of maybe the IT team's not doing their job. There's something that's happening outside their purview and that's problematic. And so the reason why this is broader than shadow IT is, I would say that term has also become somewhat antiquated, right? Shadow, IT refers to this world where someone would go rogue and start to use applications without IT teams being aware of them. The reality is most IT teams have evolved away from that to understand that you actually need to engage the business user in the applications that are used across your enterprise. Therefore, I think it's an antiquated concept, better terms that I think better represent what this is, is business led IT or just IT. Some statistics actually put the amount of technology spending that occurs outside of IT and outside of procurement at 50% or higher. Shadow IT also wouldn't be correct anymore through that lens, because it's not in the shadows, it's just it. I think shadow IT is something of an antiquated concept, and most IT and procurement teams have moved away from this idea of one team being solely responsible for technology in the enterprise. The other reason why we also like unmanageable applications as a reference to this is that as detection technologies have become better in terms of detecting applications that are used across the enterprise the problem has shifted from discovery to remediation. And what increasingly is being determined is that actually a lot of these applications, even if you're aware of them, you can't manage them because of technical invitations in those applications themselves. For example, let's say that you are a major media and entertainment company, which means that you probably have a significant mobile presence for maybe your online TV shows, or your live streams.

Belsasar "Bel" Lepe (09:51):

Well, guess what to develop for the iOS platform, you are going to be managing separate username and password-based accounts to create your iOS application binaries and publish them. That ecosystem of mobile apps exists entirely outside of a corporate identity provider, like an Azure ID or an Okta. And so, even if you can onboard and offboard your engineers into GitHub, you can't do that for Apple. Therefore an Apple developer tenant is an example of an unmanageable application, which is business critical, but today you're managing a completely different and manual identity and access management life-cycle. And what we found is every business has hundreds, if not thousands of those applications that again, are business critical, but because they don't support SAML for single sign-on, nor do they support skim for user provisioning. You have to manage them separately and with manual compensating controls.

Matt Chiodi (10:43):

Or maybe not at all.

Belsasar "Bel" Lepe (10:45):

RIght, there are some cases where they are just not being managed.

Matt Chiodi (10:50):

Being a security practitioner for so many years, how do you quantify this massive risk?

Belsasar "Bel" Lepe (11:17):

It's a very large problem, however, before I put numbers behind it I'd say there are two things that we realize or we see very often when we reach out to folks about our solution. One is everyone's aware of this problem, but two, no one is really aware of the size of the problem. For example, of the 10,000 most used applications out there, only 61% of them support SAML. Therefore you're looking at about 40% that don't support SAML or Open ID for single sign-on. Now, of those same 10,000 applications that are most frequently used across the enterprise, only about 4 to 5% of them support user provisioning and deprovisioning. And so what you're basically talking about is, for a vast majority of the applications out there, you're probably still manually adding and removing users.

Belsasar "Bel" Lepe (12:08):

Let's quantify this in terms of risk. According to a recent report from productive, a SaaS intelligence platform, one out of every two applications used across the enterprise could be considered an unmanageable application. And then a corresponding study from Gartner states that these applications are then responsible for two out of every three cybersecurity breaches. Therefore not only are there a lot of these applications, they're also increasingly responsible for the vast majority of breaches. And if you take a step back and you think about it, it makes sense. Threat actors are not going to go after applications that are protected in Okta; it's hard. They're going to go after the applications that are using them in password based, where all they have to do is fish the user to get access to that application. And then once they're in that application, they can perform lateral moves to go after other high value systems.

Belsasar "Bel" Lepe (12:59):

And if you take a step back and look at many of the breaches that have happened over the last 5/7 years, the colonial pipeline hack, the fast company hack, guess what? The initial point of entry is often an unmanageable application. Therefore, that's all to say that this is a big problem, and it's one of those problems where it's just in front of you, but you don't realize that the common denominator is all of these applications that are still using them in the password base. They exist outside of your identity protection surface, and it's a very significant attack factor that is being exploited more and more.

Matt Chiodi (13:33):

Yes, I think one of the things that always struck me when I ran threat research at Palo Alto Networks; we had the best threat research experts in the world, and when we would summarize what we found, I was always taken aback by the fact that what was getting companies in the news was rarely ever a zero day or something like super sexy. It's never been done before, it was always the boring misconfigurations, or if we did something around identity and access management in the cloud, it was over provisioning. It was never the zero days that made it to the top 10. And it's the same thing if you look at, for example, the Verizon data breach reports that have been coming out for well over a decade now. They don't change that much in terms of the breach factors, they don't actually change that much year over year.

Matt Chiodi (14:21):

It's the kind of "boring" things that you're talking about that are essentially the leading cause of breaches. And so, if I had to summarize this, it sounds like unmanageable applications is not a new risk, it's one that's been around for a long time. It's just that there really hasn't been any good ways to deal with an app that maybe if it doesn't have SAML or skim support, there's just been no good way to really address this issue. Which brings up this question, if I'm someone listening and I'm thinking, "Okay, it sounds like I probably have dozens or more of these unmanageable applications in my environment," how do you go out there and identify these apps? If they wanted to try to figure out how quantifiable, how big of a risk is this to my company? Where should they start?

Belsasar "Bel" Lepe (15:13):

Their marketing and finance departments are usually two departments to start. If you've not invested in a CASB or something of that sort, it's usually a pretty good bet to go and meet with your marketing department. When you look at teams that innovate quickly, they're constantly looking at customer data, they need to be able to respond, and they're always adopting new applications. And they optimize much more for productivity versus security. You can always go meet with your marketing team and you'll probably find a couple of applications that are being used that maybe sit outside of your identity provider because it has been on boarded or because again, it doesn't support the capability set. Now, that's a way to do it to just dip your toe in the water and understand what the threat might be.

Belsasar "Bel" Lepe (16:06):

Beyond that, you could also reach out to Cerby. We do have discovery capabilities that allow us to today look at what are the subscriptions that users are signing up for in the browser. We're going to be augmenting that by adding the ability to scan email, and to scan credit card statements. Therefore there are discovery capabilities that we have as part of our platform, which are also available for free, because at the end of the day the first problem is understanding the size of the problem. And we can help with that. Now, once we've helped you understand the size of the problem, then there's our automation platform, and that's where we can help you close the gap between what you're doing from an identity and access management perspective and these applications that don't support the standard. A way of thinking about it is you need to have some form of a discovery program, you can do that manually by reaching out to your business users, and you can speak with us to help with discovery. And, let's be honest, CASBY and DLP also work quite well for anything that's happening on the corporate network. A part of the problem of course, though, is that increasingly there's more corporate activity happening outside of the corporate network. And so there is a question of how you detect that. And what you're probably getting a sense for is there's no silver bullet, right? If you really want to understand applications that are being used across your enterprise, you have to pursue a multi-pronged approach that looks at the network level, the user experience level, your email, or artefacts that are generated from these subscriptions. If you do that, you can get a really strong understanding of what applications are being used across your enterprise.

Matt Chiodi (17:46):

You mentioned a couple different tools there. I heard you mentioning a couple of identity and access management platforms like an Okta or an Azure AD, you also mentioned CASBY and DLP. Is that the typical approach? If someone's made an investment and we'll just use the two biggest Azure AD or Okta, are they able to address unmanageable applications with either one or both of those platforms? Where's there a gap?

Belsasar "Bel" Lepe (18:27):

So beginning with an Azure AD or Okta is absolutely a fantastic way to start. That is the cornerstone to making sure that you have a consistent approach to managing the IM lifecycle for your application. So that's often the most critical bit of infrastructure that is put in place. And once you have that, then yes, you can start to go after unmanageable applications. However, that's really where you also need Cerby to be able to bridge the gap between Okta or Azure AD and these applications. And let me be very clear about why that's the case. The identity provider platforms like Okta and Azure AD excels when the applications that they're managing support these standards for single sign-on or for provisioning and deprovisioning. The issue is there are a bunch of applications out there that do not.

Belsasar "Bel" Lepe (19:23):

And when those applications don't support those standards, the best that these platforms can do is simply manage the username and the password. And so, what Cerby can do is we can extend the full IM lifecycle from that identity provider to any application. Therefore, if it's a corporate bank account, or if it's a GoDaddy account that you use to manage your domain names, these are all examples of applications that don't support standards. And so today they can't be managed within your identity protection surface, and yes! We absolutely recommend starting with an identity provider like an Okta or an Azure AD. And once you have that investment, you can leverage a system like Cerby to really protect every application from a full IM lifecycle perspective.

Commercial (20:15):

Prisma Cloud secures infrastructure, applications, data and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs in a unified agent framework, users gain unmatched visibility and protection. Prisma Cloud also integrates with any continuous integration and continuous delivery workflow to secure cloud infrastructure and applications early in development. You can scan infrastructure as code templates, container images, server-less functions, and more while gaining powerful full stack runtime protection. This is unified security for DevOps and security teams. To find out more, go to

Matt Chiodi (21:03):

Where do password managers or enterprise password managers, if we're talking about the enterprise, where do they fall into all of this? That's one thing I didn't hear you mention so far.

Belsasar "Bel" Lepe (21:13):

Typically password managers are where you put accounts and applications that you can't put in an identity provider. A good way of thinking about it is if something supports SAML, you're probably going to protect it in Okta, but if you can't, it's probably going to end up in a password manager. And that's where I actually think password managers are a big part of the problem. Going back to your point about the Verizon annual reports, more often than not, the biggest takeaways from the reports are that we, the user; we're the biggest vulnerability in the security chain. What is the most recent statistic? 85% of account takeovers are due to users doing something ill-advised with passwords. And guess what? Password managers still rely on end users to carry out the vast majority of tasks.

Belsasar "Bel" Lepe (22:04):

They might be able to tell you that your password was breached, but they won't go and update it for you. They leave mission critical security hygiene tasks to the end users. And so, in that sense, I actually believe that password managers are part of the problem. They're very manual, very archaic tools; and if you look at the industry leaders, they're all 10 plus years old using very old technology. If you want to fully address this problem of unmanageable applications, you can't think in terms of password management. You need to think in terms of full, I am lifecycle management. And that's where we take over from where our password manager drops off. We don't just manage the credentials, we manage the entire life cycle of that identity in a way that is consistent with the standard that an Okta or an Azure AD has set.

Matt Chiodi (22:53):

We talked a lot about passwords, so I think it'd be remiss because people are probably thinking, "Well, isn't the future passwordless?" 2021 and 2022 was all about zero trust and that's certainly not going away, right? I think budgets and everybody that I talked to says that they're doing something around zero trust. However, what I started to hear more in the second half of 2022 now being 2023 was, we want to start moving towards passwordless. And so you mentioned enterprise password managers, and you said they're part of the problem. Isn't passwordless going to solve all this for us?

Belsasar "Bel" Lepe (23:28):

Yes, and we are very supportive of passwordless. In fact our platform operates on a passwordless concept, which is to abstract and remove any reason for the user to have to know the password. When it comes to pass rotations, when it comes to onboarding or offboarding users, we can automate away all of that. Therefore you're not relying on the end user to have to carry out those actions for those applications where you otherwise have to do it manually. And so we're able to achieve a form of passwordless today even if the underlying applications haven't made the investments. Now, the other thing that I would mention though is like any standard, it's going to take some time to roll out. Today passwordless has a standard and there are a variety of different folks trying to create these standards, whether it's a five to two based or whatever the case is. That has less than 2% penetration across the 10,000 most frequently used applications.

Belsasar "Bel" Lepe (24:23):

We're still very much in the early innings of the rollout of passwordless. And, if you were to put that pessimist’s hat on, SAML as a standard has existed for 20 years. It was created in the early two thousands, and to hear it only has coverage of over 61% of the 10,000 most commonly used applications, well, it makes you wonder if you apply that to passwordless are we ever going to really be able to fully get rid of passwords. And so that's also where a solution like Cerby comes into play. The reality is it's going to take us some time to get to that passwordless future. And the stable state ideally is in the high 90%. But if you take a look at Skim, and if you take a look at SAML; Skim, by the way, has existed as a standard for 10 years. Eventually it reaches a plateau and sometimes that plateau is well south of 100% or 90% coverage.

Matt Chiodi (25:19):

That's pretty interesting, I didn't think about that...Alright, we've talked a little bit around it but let me just give you the floor so you can tell people who are listening; how does Cerby specifically solve this problem? We have mentioned a whole host from DLP to CASB, to identity and access management and to enterprise passwords. That's at least four different tools, so what does Cerby do differently?

Belsasar "Bel" Lepe (25:47):

The key difference is we do not limit our coverage of applications to those applications that expose standards or APIs to interface with them from an authorization perspective, authentication perspective, or from a security posture management perspective. What we've done is we've created a platform that allows us to be able to basically create our own APIs. This is our own point of programmatic control. Sometimes those APIs are backed by APIs in exchange, but more often than not, we're actually using robotic process automation to carry out an action, like onboarding a user or off onboarding a user. And what this allows us to do is to really go after that torso and long tail of applications that up until now, you couldn't connect to an identity provider. You couldn't connect to an IGA platform like a sale point. And so that's our core bit of technology, it's the fact that we can make any application accessible to CASBY, DLP, IDP, and IGA. A lot of TLAs, three letter acronyms there for you. And again, for the core bit of technology that we've generated, you can think of this as we've created an APIs for identity governance administration. We can make any application part of a broader IGA workflow because of our RPA technology.

Matt Chiodi (27:11):

Let's talk in terms of concrete examples, obviously you probably can't share names, but give me maybe an example of a success story where a customer deployed Cerby and they were able to secure an unimaginable application. What was the challenge and how do you quantify value around that?

Belsasar "Bel" Lepe (27:33):

One of the biggest used cases that we encounter is around user provisioning and deprovisioning. The quantification of the value can be thought of in terms of productivity, so that's time saved as well as security removing the impact. I'll use two separate examples, one is for a customer that we're working with, they're a big advertiser, and they recently had a situation where an employee left the business. They were deprovisioned from Okta, but this user was also leveraging social media advertising platforms through which tens of millions of dollars were transacted. The user was deprovisioned from Okta, but since the social media platforms that are used for advertising don't speak of scam, that user's access was not additionally removed from the social media advertising platforms. Within two weeks after leaving the business just south of a hundred million in advertising, a scam was redirected when that person's account was hacked.

Belsasar "Bel" Lepe (28:40):

That's what's at risk from a security perspective, when your off boarding procedures are not comprehensive. When they don't cover every application that is actually in use across your business. And there, I used a social media advertising example. It could also be your corporate bank accounts, because guess what, Silicon Valley Bank, and First Republic Bank all operate on a username and password based authentication protocol. They don't support SAML, and they don't support Skim. And as we've done an audit with our customers with the types of applications that fall into this bucket, a lot of CIOs, and a lot of CISOs are really surprised by the applications where there's a manual compensating control for off boarding. And so, that's the security example of where we were able to come in and make that off boarding action truly complete. The user gets removed from Okta, we then remove that access from every downstream application independent of the application's protocol support.

Belsasar "Bel" Lepe (29:36):

The second example I'll also use around provisioning is around productivity. We recently were working with a major player in the hospitality space, where for a number of applications, it was taking them 15 minutes to be able to add a new user. They had something like 10 to a 100 new employees joining on a regular basis because they're in the hospitality space; it's a pretty high turnover rate. They had to manually onboard each new employee into each of these applications on a regular basis. I mean, that's hours every day where they've had to go get a headcount dedicated to manually add users to these applications. Cerby can streamline that so that, again, they add someone to an Azure AD group, an Okta group, and then Cerby automatically goes and creates their accounts in these downstream applications. And so that's time saved that we're saving, and based on the math that we did that was basically two headcount that we were saving on an annual basis just by being able to automate the provisioning or onboarding process for this entity.

Matt Chiodi (30:48):

If you look into your crystal ball and you look out the next three to five years, how do you see the market for actually securing unmanageable applications? How do you see that evolving? What does that look like?

Belsasar "Bel" Lepe (31:02):

I think one of the most important tailwinds that you need to look at is the reality that enterprises are gonna become more reliant or rely more on their business users than not. You can't put that cat back in the bag, and you can't put that genie back in the bottle. More businesses are going to be relying on their end users for their security. And if we can all agree on that, then it's the case that the problem around unmanageable applications will only continue to grow. Let's be honest, your average business user is twice as likely to care about productivity as they are to care about security. This is a statistic from a player in the enterprise password management space. And so, what that means is, as enterprises are relying more on end users for the security, as hybrid workforces become more a way of the future, and that's the stable state, you're going to see more and more applications that are introduced into the business that IT and security teams need help managing.

Belsasar "Bel" Lepe (32:10):

And so, this is our view that decentralized identity, decentralized access management, automating more of those key security hygiene tasks for the end users, is going to become more important, not less important. And this is just because of the broader trends that we're seeing towards distributed work and decentralized technology spending.

Matt Chiodi (32:31):

Obviously there's been a trend of workloads moving to the cloud over the last five or so years. Last time I saw, it seems like on average most organizations have more than half of their workloads that are running in the cloud now. That mega trend, do you see that diminishing the amount of these unmanageable applications? Or do these unmanageable applications exist in equal proportions in the cloud and traditional on-prem applications? Is that going to impact us?

Belsasar "Bel" Lepe (33:06):

Great question! I'm going to potentially butcher the statistics.

Matt Chiodi (33:13):

We could put it in the show notes.

Belsasar "Bel" Lepe (33:14):

I seem to recall as part of a recent Microsoft earnings report where the Microsoft CEO actually said that, if you take a look back and look at all industries, less than 10% of all cloud workflows or potential cloud workflows are actually running the cloud. Therefore we're still very much in the early innings of the migration to cloud, which is crazy to think, right? AWS launched in 2006/2007, and its nuts, but 15/ 16 years into it, we still haven't seen a vast majority of potential cloud workflows move to the cloud. And so, that's where, yes, I think this is going to continue to be a very big part of it. Another major area of opportunity that we're seeing is around operational technology or OT. There's a bunch of OT that largely every business uses, especially if you're kind of more in the infrastructural or manufacturing spaces.

Belsasar "Bel" Lepe (34:10):

However, these are appliance based technology that also is still username and password based. Maybe you're a major broadcaster and the cameras that you're using to capture the broadcast signal that you're sending out nationally or your everts hardware or your control hardware, guess what? That operational technology is also largely not in the cloud, and it's still very disconnected from your identity provider. Therefore, as you see more things move from not in the cloud to on the cloud, that's also going to be a major tailwind towards this problem of unmanageable applications. More CIOs and more CISOs are going to be aware that OT presents another significant attack surface that also needs to be managed.

Matt Chiodi (35:00):

Let's switch gears, I think it's fairly well known that start-ups can be crazy. Therefore my question for you is, how do you stay fresh and keep learning?

Belsasar "Bel" Lepe (35:12):

I enjoy it, every day is actually extremely energizing. I'm a big runner, I like to take a step away and go out and run. However, even within the day-to-day, I love meeting with customers, it's extremely energizing to hear about their use cases and not a week or even day goes by where we don't find out some other workflow or use case around unmanageable applications. Therefore that also really energizes me; just finding out how big this problem is. It's really a mix, it's finding a variety of different aspects of the business to go into. Context switching can actually be a good thing for keeping the mind fresh. And then outside of work like I said, I'm a big runner, I have two kids, a four year old and one year old, and I love spending time with them. And so it's all about making it all work together at the right time, switching from one work stream to another work stream. It's a way to make sure that you stay focused and don't get burnt out.

Matt Chiodi (36:21):

Do you have any favorite sources of tech news? There are thousands of outlets out there, do you subscribe to any newsletters or aggregators? How do you stay current with at least what you want to stay current on?

Belsasar "Bel" Lepe (36:37):

I'm a member of a lot of founder slack channels; those are awesome! I wish there was actually a new source out there that would just take all of the interesting data feeds that are coming from the founder Slack channels and bubble them up because I don't have time to go through it all. However, that's a great source of news, founders more often than not tend to be tinkerers, and they're a little bit out ahead of new applications, new technologies that are being released. And I love that; I love being able to see what they're looking at, what they're excited about, and what they're thinking about. And the way that I get access to those is every single one of our investors usually has an online community for founders and are able to engage with those. Outside of that I'm a big fan of podcasts, this one included. I'm also a big fan of The Information, which is a very technology oriented newsletter. I definitely recommend that you all check that out. And then beyond that, it's chatting with industry experts. I try to set aside at least two hours a week to meet with our advisors and meet with new folks. I also meet with our customers to understand what's going on and going on from the perspective of what they're seeing on a daily basis. Personalizing it to specific problems, and specific areas that they're experiencing. Therefore there are a lot of signals that I try to collect.

Matt Chiodi (38:06):

Awesome, well this has been a great conversation and I've loved digging into your background. This is a problem that I think most people probably aren't fully aware of, so I think this will be a really good learning experience. Thanks so much for coming on!

Belsasar "Bel" Lepe (38:19):

Thank you for having me, I appreciate it man.

Narrator (38:24):

Thank you for joining us for today's episode. To find out more, please visit us at